Risk management, strategy and analysis from Deloitte

CONTENT FROM OUR SPONSOR

Please note: The Wall Street Journal News Department was not involved in the creation of the content below.

How Agile Internal Audit Can Add Value

Internal auditor groups are continually challenged to provide more value to stakeholders while enhancing organizational influence and impact. Stakeholders are demanding more efficient assurance, deeper insights, and greater anticipation of risks.

Sandy Pundmann

Many efforts to address these challenges, however, are not working—or not working quickly enough. Instead of sporadic initiatives and piecemeal solutions, internal audit departments need an updated approach and framework. An agile internal audit can provide methods that work to change both the mindset of internal auditors and their work processes.

Based on a software development framework, agile internal audit is the mindset an internal audit function adopts to focus on stakeholder needs, accelerate audit cycles, drive timely insights, reduce wasted effort and generate less documentation. Agile prompts internal auditors and stakeholders to determine upfront the value to be delivered by an audit or project and helps prioritize both based on importance, urgency and readiness to undertake the work. Further, reporting in the context of agile doesn’t focus solely on documenting the work but rather on providing meaningful insights and documenting “just enough” to support the insights.

Sarah Adams

Any organization aiming to solve for current challenges and pain points should consider an agile internal audit approach. The agile IA framework can drive completion of more audits in the same—or less—time, promote closer relationships with stakeholders, and deliver more relevant, higher-impact reports with less time spent on documentation. The approach also enables internal auditors to respond quickly and effectively as strategies, priorities, technologies, competitors, regulations and risks evolve.

Coupling Mindset and Process

Challenges occur when any group tries to pursue new outcomes without shifting both the mindset of the group and its stakeholders and the process for producing the outcomes. However, coupling mindset and process can be achieved by focusing on clearer outcomes, increased engagement and improved documentation.

Ranjani Narayanan

—Clearer outcomes. Agile internal audit methods aim to confirm or disprove a hypothesis or support a point of view (mindset shift) rather than, for example, focusing on open-ended reviews or audits in search of findings. That way, the audit or project targets an outcome, which guides the fieldwork and reporting (process shift).

—Improved documentation. Instead of feeling the need to explain every step taken and justify it through exhaustive documentation (mindset shift), agile internal audit frameworks can deliver briefer, timelier, insightful reports with fewer words and more visuals (process shift).

Organizations also may want to develop an agile internal audit manifesto, which should be aspirational as well as practical. As one of the first efforts in adopting agile, the exercise of developing a manifesto may be more valuable than the manifesto itself. Also, the manifesto is not set in stone. Goals or aspirations can be added, deleted or modified as team members gain experience with agile methods.

Four Key Concepts

Understanding how a few agile practices apply to internal auditing can provide a glimpse into the methodology’s transformative power.

—Audit backlog. The agile internal audit methodology, versus a rigid audit plan, maintains an audit backlog—a continually updated list of areas to be audited. Items on the list can initially be a bit vague about targeted outcomes and desired timing. Then, as internal auditors and the stakeholder refine those details, the item moves up the list until the work is ready to be undertaken.

—Definition of ready. A definition of ready (DoR) for an item on the backlog exists when internal audit and the stakeholder agree on what will be tested, examined or reviewed; on the goal of the work; and the value to be delivered. Also, the internal audit function must have the resources ready to conduct the audit. When the DoR has been met, internal audit begins its work on the audit or project.

—Sprints. When the internal audit function’s work begins, the item moves off the audit backlog and the tasks associated with that audit are divided into sprints. Sprints are time-boxed intervals in which tasks must be completed. Sprints provide a process, structure and cadence for the work. A time box—the time the team gives itself to complete a task or set of tasks—should provide the motivation of a tight deadline without stressing resources.

—Definition of done. The definition of done (DoD) defines the value to be delivered in a sprint. A DoD can be expressed as a level of assurance; a set of completed tasks; a list of identified issues, risks or recommendations; or a report or draft report—whatever works for the team. The DoD should not be lengthy or complex or it will not work at the level of a sprint.

These four elements structure activities and timeframes in ways that allow for changes in direction and resources as new information is discovered. This is a more practical way of structuring many, though not all, audits and projects because the final goal and the work to be done are often not fully known at the outset.

For example, if a basic level of assurance is all that’s required, and that level is reached after one sprint, the internal audit group can issue a brief report to that effect and move on to the next item on the audit backlog. Conversely, if the work reveals a need to dig deeper, the internal audit team can work with the stakeholder and proceed accordingly.

The power of an agile internal audit methodology lies in its transformative approach. This is not change for its own sake, nor is it an end in itself. It is a means to an end, and it is up to each internal audit group and organization to define that end.
